New Member

Limit internet access to one proxy server.

We have a Cisco Router (1701) running IOS 12.4. I want to configure the router to only allow access to the internet and the various protocols via the proxy server (192.168.16.6). This is to help stop technically savvy staff bypassing our proxy server for browsing and such.

Accepted Solutions
Gold

Re: Limit internet access to one proxy server.

In the simple case, where I assume your router's only purpose is to get to the internet, you can use a simple access list. This is just a sample of the more common ports.

access-list 110 permit tcp host 192.168.16.6 any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq ftp-data
access-list 110 deny tcp any any eq ftp
access-list 110 deny tcp any any eq telnet
access-list 110 permit ip any any

You apply this inbound on the ethernet port.

Now if this router serves more functions, like you have remote sites behind it or there are other interfaces, you will need to allow that traffic before you deny the traffic.
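
Added example, not part of the original thread or of Cisco's tooling: a small Python model of how IOS evaluates ACL 110 from the answer above, top-down with the first matching line deciding, run over constructed packets. The client address 192.168.16.50 and the outside host 203.0.113.10 are assumptions, and only the subset of ACL syntax used in the post is parsed.

```python
import ipaddress

# ACL 110 exactly as posted in the answer above.
ACL_110 = """\
access-list 110 permit tcp host 192.168.16.6 any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq ftp-data
access-list 110 deny tcp any any eq ftp
access-list 110 deny tcp any any eq telnet
access-list 110 permit ip any any
"""
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "telnet": 23}  # IOS keywords used here

def parse_addr(tok):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    word = tok.pop(0)
    if word not in ("any", "host"):
        raise ValueError(f"unsupported address form: {word}")
    return ipaddress.ip_address(tok.pop(0)) if word == "host" else None

def parse_acl(text):
    """Parse the subset of extended-ACL syntax that appears in ACL_110."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        action, proto, *rest = line.split()[2:]
        src, dst = parse_addr(rest), parse_addr(rest)
        port = None
        if rest:  # only 'eq <port>' on the destination is handled
            if rest[0] != "eq":
                raise ValueError(f"unsupported operator: {rest[0]}")
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port, line))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching line decides; nothing matching means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port, line in rules:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action, line
    return "deny", "(implicit deny)"

RULES = parse_acl(ACL_110)
# Constructed packets: CLIENT is an assumed LAN host, OUTSIDE an assumed internet host.
PROXY, CLIENT, OUTSIDE = "192.168.16.6", "192.168.16.50", "203.0.113.10"
for pkt in [("tcp", PROXY, OUTSIDE, 80), ("tcp", CLIENT, OUTSIDE, 443), ("udp", CLIENT, OUTSIDE, 53)]:
    print(pkt, "->", *evaluate(RULES, *pkt))
```

The first line permits only TCP from the proxy, so the proxy's UDP traffic and everything from clients that is not on a listed port is passed by the final permit line. An inbound ACL is also checked for packets addressed to the router itself, so the telnet line applies to Telnet sessions from LAN clients to the router as well.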

4 REPLIES
Gold

Re: Limit internet access to one proxy server.

You can policy route the traffic to the proxy, but the proxy must be set up correctly to be transparent so the routing works.

If your proxy supports it, you can also use WCCP to allow the proxy to tell the router which traffic to send to the proxy.

You will never stop the truly savvy staff; they will eventually just build SSL (HTTPS) tunnels through your proxy and surf whatever they please anyway.

New Member

Re: Limit internet access to one proxy server.

Your post has given me another avenue of thought, but maybe my description threw you. Imagine that I have a LAN where everyone has their default gateway set to the router and they can browse the net freely. What I am hoping to do is only allow the IP of the proxy server to get access via the router, thus blocking direct routes from the client PCs.

New Member

Re: Limit internet access to one proxy server.

That is exactly what I wanted. It is already in place and working. Many thanks.
